Sklar Research, Reports & Articles

10 Best Practices Against Cyber Security Threats, Part 1

A major challenge healthcare facilities face daily is protecting sensitive data and patient files in a technologically advanced world. More than ever, hackers and identity thieves are targeting healthcare facilities and their sensitive data.

Threats to data, information and operations arrive through several channels, via both technological and human intervention. If these threats are ignored, healthcare facilities will experience a significant impact on employee, patient and security material safety. The effect on healthcare costs and budgets is significant. Becker’s Hospital Review estimates “data breaches cost the industry about $5.6 billion each year”1.

Recently, Hollywood Presbyterian Medical Center in Los Angeles experienced a ransomware threat which cost them $17,000 to regain computer access and decrypt their files. The cyber criminals caused an interruption in operations for two weeks as the hospital had to transfer patients to different hospitals. “Medical records were kept using pen and paper, and staff resorted to communicating by fax.”4 According to Sam Wong, of NewScientist.com, “one ransomware package, CryptoLocker 3.0, is thought to have earned attackers $325 million in 2015 alone.”4

Strict policies and procedures against security threats are an ongoing battle for most providers and IT departments, but there are strategies to protect a facility against security breaches. “The Health Information Technology for Economic and Clinical Health Act (HITECH) rules are fully in place, a broad range of business associates should be in compliance. The enforcement process, while resulting in modestly growing actions, seems reasonable and focused on meaningful problems.”3

In the first part of this article, I will discuss five cyber security threats and identify key strategic recommendations from professionals to thwart attacks.

Ransomware Threats

What is it? Ransomware is currently the most prevalent cyber security fiasco in the healthcare industry. By definition, ransomware “works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key ransom until the victim pays a fee, usually in Bitcoin.”5 This type of cyber attack has skyrocketed in frequency within the last few months. Nearly 50 attacks have been recorded worldwide, particularly in England and Russia.

Who are most vulnerable? Ransomware tends to target larger facilities rather than individuals: high-profile businesses that have the funds to pay the large ransom. Any computer that has a weak security system, or computer software that has not been recently updated, is also vulnerable.

How can I prevent this attack? Develop a contingency plan in the event of a ransomware attack. Avoid untrusted links. Be wary of spam and phishing in emails or messaging programs. Always back up your files as a precaution. Most importantly, install security software programs and maintain updates. Additional help can be found on this YouTube discussion.

Phishing Attacks

What is it? Phishing attacks are usually delivered through emails requesting sensitive information or login credentials. They are sent from business or personal accounts disguised to trick the victim into believing they know the sender. Phishing is ultimately used to collect private and sensitive information about a patient or healthcare facility for a variety of reasons.

Who are the most vulnerable? Any healthcare facility that uses EHR, emails, or online databases. Virtually anyone is prone to this type of attack. They are more common than other cyber security threats, but very preventable.

How can I prevent this attack? Always be aware of suspicious emails that request sensitive information. When in doubt, confirm the legitimacy of the request by speaking to the sender, if possible, or the IT department. Becker’s Hospital Review recommends “doctors should always closely evaluate any requests that come in for file sharing, ensuring it's a real request from a verified healthcare professional before sending anything.”1 Lastly, install security software programs to monitor any threats and maintain updates.

Malware

What is it? Similar to ransomware, malware takes advantage of phishing attacks and accesses your network through encryption and software vulnerabilities. Malware attacks can be hard to decipher; installing security programs will prevent any attacks from occurring.

Who are the most vulnerable? Any healthcare facility that uses EHR, emails, or online databases, and hospitals that have weak security software. Just like phishing attacks, virtually anyone is prone.

How can I prevent this attack? Exercise security methods similar to phishing prevention. Always be aware of suspicious emails that request sensitive information. When in doubt, confirm the legitimacy of the request by speaking to the sender, if possible, or the IT department. Again, Becker’s urges close scrutiny to ensure the request came from a verified healthcare professional. Lastly, install security software programs to monitor any threats and maintain updates.

Mobile Devices

What is it? Mobile devices running mobile applications, such as mHealth, are a risk in the healthcare industry because most mobile devices are not secure. Information stored in mobile devices is a security risk because most manufacturers do not build programs to fight against cyber security threats or data breaches.

Who are the most vulnerable? Organizations that use programs on mobile devices.

How can I prevent this attack? According to Health Data Management, “If data does not have to be on a mobile device, then it shouldn’t be put on it.”2

Class III Medical Devices

What is it? Class III medical devices pose the largest security threat of any class. Many class III medical devices are not reviewed or approved by the IT department before use. As a result they are not scanned for malware, viruses or secure data programs, therefore generating an opportunity for a breach in healthcare data security. TechTarget Network, a leader in technology research, states “the influx of medical devices into health organizations, often without the knowledge of IT, may be adding to existing security problems.”7

Who are the most vulnerable? Any healthcare facility using class III medical devices. IT departments that do not monitor and scan new class III medical devices upon arrival.

TechTarget offers these questions to consider when identifying data on medical devices:

“What kind of data is being stored? Is it persistent? Is it static? Is it dynamic? What is the category of risk that we assign to the device based on the understanding of data and location and then motion of data?”7

How can I prevent this attack? Review and scan all new class III medical devices upon delivery to any department. Assess each device to determine which ones are at risk. Identify current security controls, perform updates, and monitor any suspicious activity. Maintain updates and complete regular patches. Implement stronger security methods within and beyond the IT department.

In summary, Bloomberg Law Privacy and Data Security states, “There are far too many security breaches, new concerns like ransomware are threatening overall health-care operations, and the business developments involving big data and a broad range of new health-care technologies (such as mobile applications and wearables) threaten to break apart the protections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules and expose the long-existing gaps in individual rights.”3